SMiShing

SMiShing (SMS + Phishing) involves “phishing” for personal information using SMS text messages and tricking a user into downloading a Trojan horse, virus, or other malware onto their cell phone or other mobile device. SMiShing is a variant of phishing email scams. How do they do it and why, and how do you avoid it?

But first, some SMiShing background.


SMiShing Background

OS Vulnerabilities

The term SMiShing hit the headlines in the early 2000s, when vulnerabilities in the text messaging services of smart phone operating systems, like iOS and Android, were discovered. Security specialist McAfee cautioned that Windows and Symbian users were at greater risk. The ability for users to add their own software to devices running these operating systems made them more vulnerable than the closed operating systems used on BlackBerry (RIM) and many Linux-based devices. iOS and Android users were, understandably, not completely reassured.

The problem is that, even as developers plug security loopholes, the SMiShers find new ones, and, of course, people who don’t upgrade their phones are left with the existing loopholes intact. As recently as last year, researchers found a new loophole in Google’s Android OS which was quickly patched. However, despite some uncertainty about whose responsibility it is to roll out patches to users – manufacturers, carriers or, in this case, Google itself – it still remains the ultimate responsibility of the user to update their software, and many people just don’t.

SMiShing in the News in 2016

The twin issues of blame and responsibility for SMiShing attacks became subjects of hot debate in cyberspace in early 2016 when news agencies reported that Edward Smith, a customer of UK bank Santander, had lost £22,700 in a SMiShing scam. Fraudsters had sent him an SMS alerting him to some questionable activity on his account, viz., a large outgoing payment. Knowing he had not authorized the payment, Mr. Smith called the number in the message, assuming it was a direct line to Santander, and spoke to the fraudsters, who told him he needed to generate a “one-time password” (OTP) in order to reverse the transaction. With the information given by Mr. Smith, the fraudsters were then able to access his online banking service and make multiple payments to themselves. In order to pay a new beneficiary, an OTP is sent to a customer’s registered mobile telephone number. Because Mr. Smith disclosed these details to the fraudsters voluntarily, Santander believed they were not under any obligation to refund his money. (The case is under review by Santander’s fraud team.)

Whose Fault Is It?

SMiShing is here to stay due to the proliferation of smart phones and their use for activities other than simply sending SMSs and making phone calls. Today smart phones are used for financial transactions, business enquiries, confirming membership or subscription to clubs and social networks, surfing the internet, and online shopping. In the workplace they are used to communicate with work colleagues and even to access corporate networks and data. Consultants and support staff sometimes use the same phone for personal and business purposes, leaving the company they work for vulnerable to security lapses staff may make outside business hours, e.g., using their phone for social networking or more “colorful” activities like dating, gambling, illegal drugs or porn.

Unfortunately cybercrime succeeds because it takes advantage not only of people’s baser motives but their fears, ignorance, and personal vulnerabilities. It may be argued that it is people who are the greatest security risk to themselves, not a particular operating system.

SMiShing Techniques

There are four main techniques SMiShers use:

Using a bogus link that lures you to a phisher-designed website that steals your credentials.

In the example below, note some of the clues that this may be a bogus SMS:

Walmart is spelled incorrectly and the recipient is addressed as “Client.” If you were a Walmart client, it is likely the company would address you by the name they have for you in their records.

Grammar mistakes used to be sure-fire clues that an SMS was bogus, but phishers are becoming more sophisticated and phishing networks often have language experts to design professional-looking messages—but they still tend to make mistakes.

Always look up a company’s telephone number in a directory and use that one rather than the one in a suspicious message (see point two below).

Sometimes a redirect link is obviously not from a reputable company, e.g., ngtov11.net, but professional criminals can hide this link quite easily. To check a seemingly genuine link is difficult on a smart phone. Always type the address in a browser rather than clicking on the link.

Using a phone number which, if you call it, will connect you with an extremely eloquent phisher who will attempt to extract personal information from you. With call centers being the support hub for most companies these days, many people don’t question a call center consultant’s credentials.

In the scenario below, a more indirect, and more pernicious, technique is used. Here the SMiSher is:

hoping first to connect with you on Facebook, learn more about you, your contacts and any information that can be gleaned from your Facebook profile,

and only then attack you by luring you to a bogus website, either via another SMiShing attack or on Facebook, where an attempt will be made to harvest your Facebook credentials or download malware onto your phone. Once your Facebook profile has been hacked, your contacts are at risk of being phished too. SMiShers don’t only use banks, the IRS, or corporate bigwigs as the purported senders of their messages. Messages may appear to be from a colleague, another department or even a (supposedly) mutual friend.

The fourth technique also involves getting you to click on a malicious link, but this time, once you arrive at the bogus website, you are prompted to download a program which is actually a Trojan horse (see the example below). SMiShers can also install Trojans, keystroke loggers, or botnet code on bring your own device (BYOD) phones that people use at home and at work. There is a staggering amount of information SMiShers can harvest when they are able to control a user’s phone from within (hence the name Trojan horse). Installing malware on employees’ phones makes SMiShing a potentially more serious threat to businesses’ security than attacks on their servers, cocooned as those are behind software and hardware firewalls.

Note: There is yet another SMiShing technique that is less obvious and is also a sales gimmick often used by legitimate service providers, which is why it’s not always easy to spot as a SMiShing attack: the practice of signing you up for services (such as weather, daily quotes, or horoscopes) that get billed directly to your phone. While the charges may seem small, they add up, making a nice passive income for a SMiSher who has more than one victim on his books. Another technique is to sign users up for “premium” text messages; these text messages can cost a lot of money and it’s quite difficult to unsubscribe. Where things go pear-shaped is when SMiShers get greedy and use these services to attack you maliciously, by getting you to click on links that download malware to your computer or to enter your personal details when you try to access your “premium” text messages.

Strategies

SMiShers are sometimes portrayed as dumb, but they are more often actually skilled marketers, students of sales psychology and very street smart. They often work in networks that include members with specialized roles, including designers of believable text templates, software developers, and sales people. And you thought used car salesmen were dodgy!

Any Information, No Matter How Seemingly Innocuous, Is Useful Information for a Phisher

A 2014 JPMorgan breach exposed personally identifiable information of 83 million customers but, at the time, JP Morgan hastened to assure customers that no bank account information, or more sensitive personal information such as social security numbers, had been compromised. ABC News, however, had another take on the event: “Much of the media coverage of the breach focused on the kind of information exposed—names, addresses, emails, phone numbers—as if that were good news, but in reality, it’s a disaster waiting to happen.” This kind of information, the agency said, may have had direct links to succeeding spates of SMiShing attacks against customers of the bank. In short, phone numbers and names may be just as valuable to a SMiSher as an account number or ID number.

Account Takeover (ATO) Strategy

This second-level tactic, ATO, is unfortunately very difficult to avoid. The solution is to avoid your details being hijacked in the first place by becoming as phishing-savvy as possible. I signed up for a free account at http://securityiq.infosecinstitute.com/ and, I am ashamed to say, failed the phishing savvy test twice in the same number of weeks. It’s not only non-experts who get fooled. Clicking a link with one eye on the screen and another on some meeting minutes can have disastrous consequences.

Direct Marketing

With all due respect to honest direct marketers, SMiShers use very similar techniques to snare their victims:

Like marketers, they expect only a small percentage of responses. They send out thousands of text messages hoping only for a few “hits.” It is tempting to send a rude response to an SMS that seems clearly not intended for you but remember that fraudsters now have you on their database as a human. They also know something more about you than they did before, e.g., that you don’t have a Walmart account. And the fact that you responded means your number is valid.

Like marketers, they know how to manipulate people’s vulnerabilities, vanities, greed and fears.

Like marketers, they create high-volume campaigns and meticulously create databases of the responses. They carefully analyze the response rates to their campaign (if not very high, they will change the style, format, content, or bogus sender’s name/company).

What Makes Smart Phones Obvious Targets?

Trillions of text messages are sent out around the world every day, which means there’s a huge market of potential victims.

People tend to read their messages pretty soon after they receive them (statistics estimate within 15 minutes). This means SMiShers can get responses to their scams quickly because users tend to feel a sense of urgency to reply to SMSs.

SMS campaigns, fraudulent or not, are relatively easy and cost-effective to set up. Plus, scammers can, and indeed must, be brief, and obviously the less said, the better.

While most people are aware of email scams, they’re often less aware of the dangers of cell phone scams. The most common web browsers have phishing protection built in to alert users to suspicious sites and users can generally hover their cursors over a link to display the real URL, but mobile phones don’t generally have the same built-in precautions.

Don’t Be Hoodwinked

Big Name Senders

Well-known companies are often used to dupe victims. Don’t be hoodwinked by scams like these:

An Apple SMiShing scam sent a text message purporting to inform the recipient that they needed to log in to verify and update their Apple ID or they would be unable to make any more purchases. Response trigger: Victim is afraid they’ll lose a privilege.

A popular PayPal message went something like this: “You spent $1993.27 USD at The Home Shop. If you did not make this transaction please call us immediately at 1-408-123-4567. Thank You.” Response trigger: Victim is afraid they’ve already been made a victim; it can’t get worse than this.

Barclays was used to alert users to “suspicious activity” in their account, and asked the recipient to improve their account security by clicking on a purportedly secure Barclays link to update their security software. Response trigger: Thank goodness someone is looking out for me.

In these cases, log in by typing the company’s genuine, known URL. Always ensure you have an https (secure) connection and that there is a lock symbol in the address bar. If you need to phone, look the number up in the phone book.
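The clues described above (a misspelled brand, a generic “Client” salutation, a link whose domain is not the named company’s, a callback number inside the message, and urgency wording) can be turned into a simple triage check for text messages that staff forward to a security team. The following Python heuristic is an added example, not code from this article or from Infosec Institute; the brand-to-domain table, the similarity threshold and the sample messages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Brands named on the page and their real domains (assumed lookup table).
KNOWN_BRANDS = {"walmart": "walmart.com", "paypal": "paypal.com",
                "apple": "apple.com", "barclays": "barclays.co.uk"}
URGENCY = re.compile(r"\b(immediately|urgent|suspended|locked|verify|unable to|"
                     r"within \d+ (hours|minutes))\b", re.I)
GENERIC_GREETING = re.compile(r"\b(dear\s+)?(client|customer|user|member)\b", re.I)
URL_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
PHONE_RE = re.compile(r"\b1?-?\d{3}-\d{3}-\d{4}\b")

def brand_lookalikes(text):
    """Words that nearly, but not exactly, spell a known brand (e.g. 'Wallmart')."""
    hits = []
    for word in re.findall(r"[A-Za-z]{4,}", text):
        for brand in KNOWN_BRANDS:
            w = word.lower()
            if w != brand and SequenceMatcher(None, w, brand).ratio() >= 0.8:
                hits.append((word, brand))
    return hits

def is_brand_domain(host, brand):
    """True only for the brand's own domain or a genuine subdomain of it."""
    dom = KNOWN_BRANDS[brand]
    return host == dom or host.endswith("." + dom)

def score_sms(text):
    """Apply the article's clues; returns (number of clues hit, reasons)."""
    reasons, lookalikes = [], brand_lookalikes(text)
    if lookalikes:
        reasons.append(f"brand look-alike: {lookalikes[0][0]!r} vs {lookalikes[0][1]!r}")
    if GENERIC_GREETING.search(text):
        reasons.append("generic salutation instead of your name")
    # Brands the message claims to come from: spelled correctly or as a look-alike.
    claimed = {b for b in KNOWN_BRANDS if b in text.lower()} | {b for _, b in lookalikes}
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if not any(is_brand_domain(host, b) for b in claimed):
            reasons.append(f"link {host} is not a domain of the brand named; type the known URL")
    if PHONE_RE.search(text):
        reasons.append("callback number in the message; look the number up independently")
    if URGENCY.search(text):
        reasons.append("urgency or threat wording")
    return len(reasons), reasons

# Constructed sample messages, not real ones.
SMISH_WALMART = "Dear Client, your Wallmart gift card is waiting. Claim within 24 hours at ngtov11.net/claim"
SMISH_PAYPAL = "PayPal: You spent $1993.27 USD at The Home Shop. If you did not make this transaction please call us immediately at 1-408-123-4567."
LEGIT = "Hi Jane, your Walmart order 4455 has shipped. Track it at www.walmart.com/track"
```

Running `score_sms` over the three constructed samples trips four clues for the Walmart message, two for the PayPal message and none for the legitimate shipping notice.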

Some Extraordinarily Cunning Examples

Victims get a text summoning them to jury duty, but if they want to excuse themselves they are invited to verify their Social Security ID via SMS. Eager to get out of jury duty, many victims readily reveal their social security data. Don’t do it.

“We’re confirming you’ve signed up for our BDSM dating service. You will be charged $2/day unless you cancel your order: SMiShinglink.com/cancel.” The temptation to click on that particular link is quite understandable. Don’t do it.

Key Lessons to Be Learned

Keep your phone software up to date.

Never be intimidated by threats to your account security; act defensively instead.

Don’t assume that apparently high-profile companies that contact you are legitimate.

If a text message is urging you to act or respond quickly, remember this is one of the key tactics cybercriminals use to get you to act unthinkingly.

Go directly to websites rather than following links.

When phoning a company, use a telephone number from the phone book to confirm that the contact is genuine.

Summary

The good news is that if you’re careful what you click on and keep your software updated, you can avoid most scams.

Security specialists like Infosec Institute have resources to help you understand SMiShing and other cybercriminal activities and prevent you becoming a victim. Sign up for a free account at http://securityiq.infosecinstitute.com/ to browse their library of videos, blogs and news articles, or, as I did, take the test to see how phishing savvy you really are.
